CDD requirements for payroll and bookkeeping firms

Customer due diligence (CDD) is triggered the moment a business relationship starts. For payroll and bookkeeping services, that means before you carry out any work, handle any client money or access client data.
CDD is your way of confirming who the client is, understanding the purpose of the relationship and assessing the risk they pose. Without completing the full process, you can’t show that you’ve met your legal duties under Regulation 27 of the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 (MLRs).
When does a business relationship begin?
The law defines a business relationship in Regulation 4 of the MLRs as:
“a business, professional or commercial relationship between a relevant person and a customer, which— (a) arises out of the business of the relevant person, and (b) is expected by the relevant person, at the time when contact is established, to have an element of duration.”
This means more than completing digital AML checks. You should:
- identify the ultimate beneficial owners;
- complete and record the client risk assessment before you process data or payments;
- show on record that you understand who your client is and what they do;
- identify their source of wealth and funds;
- understand your client’s business;
- carry out PEP and sanctions checks, and adverse media screening;
- keep records of all your CDD steps; and
- make CDD an ongoing process.
If you start work or process payments before CDD is complete, you’re technically non-compliant, even if you collect the documents later.
Common mistakes to avoid
Many businesses still treat CDD as a tick-box exercise, especially when it comes to payroll or bookkeeping. But under the MLRs, access to financial data, payroll records or client bank information is enough to recognise a money-laundering risk.
The most common mistakes stem from misunderstanding what CDD really involves. It’s not just about verifying a client’s ID. It’s about understanding who they are, where their money comes from and whether they pose a risk to your business.
Some of the most frequent CDD pitfalls include:
Verifying only the contact person
Many businesses verify the individual they deal with but not the beneficial owners. Under Regulation 28, you must identify and verify the ultimate beneficial owner(s) (UBO): the person(s) who ultimately owns or controls the client. That means shareholders with more than 25% shareholding and those who take the decisions in running the business.
Checking ID but not identity
Online AML checks often confirm that an identity exists, but they don’t always prove that the person presenting it is who they claim to be. You have an obligation to verify that the client is who they say they are by meeting the ultimate beneficial owners in person and seeing their original government-issued ID documents, by asking them to visit a suitable local professional who can certify the documents, or by asking them to complete online biometric ID checks.
Relying on outdated information
Once CDD is complete, it must be kept current. Payroll or bookkeeping relationships are ongoing, so you need to refresh CDD when ownership, structure or activity changes.
Overlooking the source of funds and wealth
Understanding how clients generate their income and where the money being processed originates is central to CDD. If these don’t align with the client’s profile or business model, you would need to investigate further by applying enhanced due diligence (EDD) measures and consider whether a suspicious activity report (SAR) is necessary.
Skipping the client risk assessment
A client risk assessment is an integral part of CDD. The depth of your CDD depends on the client’s risk rating, and verifying ID without a risk assessment does not comply with the MLRs.
Failing to apply enhanced due diligence (EDD)
High-risk clients, such as those linked to high-risk jurisdictions, PEPs or complex corporate structures, require additional verification steps.
Neglecting ongoing monitoring
CDD is not a one-off event. You must continually review the relationship to spot new risks or changes in behaviour that don’t fit your understanding of the client’s business.
These mistakes share one theme: treating CDD as a formality instead of a living process. Done properly, it gives you a complete picture of your client, helping you protect your business from being used to facilitate money laundering or other financial crimes.
The easiest solution
For bookkeepers and payroll providers, the safest approach is to treat CDD as the first step in every engagement, not as an afterthought. Build it into your onboarding checklist, use systems that prompt updates, and keep your evidence organised and accessible.
This way, if your supervisor ever asks when you did your CDD, you can show that it was done at exactly the right time: before you started the work.








